Certificate issue in Palo alto firewall

Cybersecon · March 5, 2023, 6:23pm

Hi,

We are created the Virtual host on CentOS 8 . The domain name was configured in noip.com. we can able to download the CSR certificate while we uploading the certificate in the firewall. It is shows as an R3 certificate. It doesn't have any CA name to get sign from external authority because of the issue the certificate is only valid for firewall device itself. we wouldn't able to access the GP clients using this certificate. Kindly give some suggestions regarding this issue.

My domain is testpaloalto.ddns.net

Thanks & Regards
Yougesh

Bruce5051 · March 5, 2023, 6:42pm

Hello @Cybersecon, welcome to the Let's Encrypt community.

Here is a list of issued certificates crt.sh | testpaloalto.ddns.net
The one certificate was issued 2023-03-05

For more details on chains see Long (default) and Short (alternate) Certificate Chains Explained

rg305 · March 6, 2023, 12:19am

R3 is the intermediate CA currently used by LE.
Certificate files don't normally come with the trusted root cert.
[all trusted root certificates should only be provided by the OS and any such updates]
R3 chains to a trusted root.

Please better explain the problem you are having.

orangepizza · March 6, 2023, 12:19am

If you have such a firewall in between your web servers and the Internet (especially a "web application firewall" or "WAF"), and you're having trouble getting or renewing a Let's Encrypt certificate, you should modify your firewall policies and enable acme-protocol connections from the Internet to your servers. The connections in question are only one specific portion of the ACME protocol, but this is apparently the term that now Palo Alto uses in its configuration to refer to them.

after doing thing quote said, run acme client on webserver itself.

rg305 · March 6, 2023, 12:20am

@orangepizza, they were able to get the cert - see pic in OP.
Albeit via CSR file and probably some manual method.

There issue is unclear.

But you may be right; It might be that ACME-Protocol issue.

orangepizza · March 6, 2023, 12:24am

certificate is only valid for firewall device itself.

there is alto firewall in front of centos VM, and cert he see is just for name of firewall itself, in firewall
if he wanted to get a certificate oneself than he should get a new certificate

rg305 · March 6, 2023, 12:28am

What are "GP clients"?

Bruce5051 · March 6, 2023, 1:22am

Supplemental information, there are no Ports Open.

$ nmap -Pn testpaloalto.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-06 01:18 UTC
Nmap scan report for testpaloalto.ddns.net (117.205.114.26)
Host is up.
All 1000 scanned ports on testpaloalto.ddns.net (117.205.114.26) are filtered

Nmap done: 1 IP address (1 host up) scanned in 202.05 seconds

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: testpaloalto.ddns.net

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): CentOS 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

Bruce5051 · March 6, 2023, 1:25am

From here Chain of Trust - Let's Encrypt

system · April 5, 2023, 1:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.